[BUG] Bash deny rules appear non-recursive for nested execution contexts ($(), backticks, subshell, eval, PowerShell wrapper)
Resolved 💬 4 comments Opened Mar 27, 2026 by Pro777 Closed Apr 26, 2026
Summary
Potential policy-enforcement gap in Claude Code 2.1.78: deny matching may not recursively evaluate inner payloads when execution is routed through wrapper shell invocations.
This report intentionally omits operational reproduction payloads in public.
Scope (public)
- Top-level chain operators (
&&,;,||,|) are not the current claim. - Current claim is limited to wrapper-mediated inner-command evaluation under specific allow/deny combinations.
Observed Risk
A command intended to be denied can still execute when embedded in an allowed wrapper path, producing a policy trust/control mismatch.
Evidence Status
Validated on reporter side with:
- command transcript logs
- policy decision artifacts (
permission_denialsstate) - before/after file-state receipts
Full reproduction details and artifacts are available for maintainer/security review via private channel.
Requested handling
If maintainers want full PoC, please provide preferred private intake route and I will share the complete reproducible bundle immediately.
Related context
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗